From: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds support for the DCCP sequence number tracking
that is included in the upcoming Linux kernel 2.6.31.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds nfct_callback_register2() and nfct_callback_unregister2()
that allow you to register a callback function with a new callback interface
that includes the Netlink message. This fixes an early design error.
This is not nice but it is the only way to resolve this problem without
breaking backward compatibility (I don't like function versioning, it is messy).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch fixes some minor issues that confuse kernel-doc in the
generation of the API reference documentation.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch removes unnecessary flags included in NFCT_Q_DUMP,
NFCT_Q_DUMP_RESET and NFCT_Q_DESTROY requests.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch reworks the BSF automatic generation code. This
feature needs more love and it has several limitations, such as
the maximum number of IPs being 127 due to BSF code
restrictions. See this patch as a first step forward.
This patch also adds the stack data type, which is used to
resolve jumps dynamically instead of the previous static
approach.
This patch also includes fixes in the limitations, previous
calculations were wrong.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch fixes a NULL dereference to a function pointer in
nfct_copy() that is triggered when you try to copy the helper
name. This patch also adds an assertion to easily report similar
problems in the future.
Thanks to <pageexec@freemail.hu> for his detailed debugging report.
Reported-by: Wolfram Schlich <lists@wolfram.schlich.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This new function checks for the presence of a given set of
attributes that are passed as an array.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This new API allows you to set and get some logical set of
attributes. This is not intended to replace the existing
per-attribute get/set API but to provide a more efficient way
to get/set certain attributes. This change includes an example
file (conntrack_grp_create.c) of the use of the attribute group API.
See ATTR_GRP_* for more information on the existing groups.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch introduces likely() and unlikely() that use
__builtin_expect to assist the compiler in the branch decisions.
I am assuming that we have no clients of libnetfilter_conntrack
that use gcc < 2.96.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds NFCT_CMP_MASK and NFCT_CMP_STRICT, which determine the
level of strictness that is applied to the comparison of two conntrack
objects.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
In nfct_build_query() the *data argument is converted into a u_int8_t*.
This works for little-endian but not for big-endian.
Signed-off-by: Albert Veli <albert.veli@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch cleans up the internal headers by splitting them into several
logical pieces.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch introduces nfct_filter_set_logic() to set the filtering
logic which results in a more flexible solution.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds an abstraction level to Berkeley sockets filter (BSF) for
Netlink sockets available since Linux kernel 2.6.26. This provides an
easy way to attach filters without knowing about BSF at all.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
alignment.
Signed-off-by: Fabian Hugelshofer <hugelshofer2006@gmx.ch>
- recover the ID support
- add support for timeout comparison
- ignore set operation for counters and use attributes
- fix broken status comparison
- statify several __snprintf functions
- add nfct_copy
- conditional build of original and reply tuples
- fix secmark parsing
work on big-endian. Philip Craig <philipc@snapgear.com>
C99 convention)
- introduce the new compare infrastructure: much simpler than the previous one
- introduce nfct_maxsize for nf_conntrack object allocated in the stack
- stricter checks in nfct_set_attr: third parameter is const
- document that ATTR_*_COUNTER_*, ATTR_USE and ATTR_ID are unsettable
- implement getter for the ATTR_USE attribute
Based on patches from Victor Stinner.
- introduce NFCT_O_PLAIN flag: NFCT_O_DEFAULT points to NFCT_O_PLAIN
- remove commented line in nfct_new()
- object oriented infrastructure
- extensible and configurable output (XML)
- low level functions to interact with netlink details
- fairly documented
Still backward compatible.